(Slide: news clippings)
- "Samsung brings NFC tagging to the Galaxy S3 - launches programmable TecTile stickers" (Carly Page)
- Wallet app feature list: credit & debit cards, loyalty & membership cards, access saved deals, supports NFC "Tap to Pay"
- "NFC to come as standard on all Nokia phones - future handsets to have the chip inside"
- "Apple patent suggests NFC for iPhone 5"
- "NFC predictions by Deloitte: 200 million NFC devices by 2012 end"

NFC is coming to a phone near you

NFC represents a new "server-side" attack surface: the phone is the listener, and anyone who can get a tag or a peer device within a few centimetres gets to send it input.



Other NFC work

zvelo: Google Wallet PIN brute forcing
Intrepidus Group: misdirecting Foursquare, malware and NFC intents, parking meters, subway passes, etc.
Ruhr University: MIFARE encryption cracking
MWR: bus passes, gym memberships, etc.
Collin Mulliner: URL spoofing, snacks from vending machines



NFC basics

Set of communication protocols based on RFID standards including ISO 14443
13.56 MHz operating frequency, +/- 7 kHz
Operating range less than 4 cm
Data rates: 106, 212, 424 kbit/s



Communication modes

Passive: the initiator provides the carrier field; the target modulates the existing field
Active (P2P): initiator and target each generate their own field





How close 



Close but not touching 

Can read card through wallet in pocket 



NFC and the screen

NFC is typically on when the phone's screen is on, i.e. not when the phone is "asleep"
ICS: only on when the phone is unlocked
Can wake up the phone if you know the target's phone number



NFC attack vectors

"The subway attack"
"Card skimming"

Subway attack

When a subway isn't handy

ATM card skimmers

NFC "card skimming"


Where might the bugs be?

Low level: the actual NFC parsing code in the firmware, driver, NFC service, etc.
Higher level: applications which consume the data (without user interaction)


Android NFC stack (diagram)

Nfc Service (com.android.nfc)
  libnfc_jni.so
  libnfc_ndef.so
  libnfc.so
Tags (com.google.android.tag)



MeeGo NFC stack (diagram)

nfcd
  libNFCLLCPAPI.so, libNFCNDEF.so, libNFCLIBMSG.so, libNFCLLCPCore.so
  libNFCSTACKAPI.so, libNFCSTACK.so
  libNXPNFCAL.so, libNFCDAL.so, libNFCOSAL.so
  several libnfc*dialogplugin.so UI plugins (names not legible in the extraction)




Specs (NFC Forum protocol stack diagram, by layer)

Application layer:        NFC Forum NDEF messages
Tag platforms:            Topaz (Innovision) | MIFARE Classic (NXP) | MIFARE Ultralight (NXP) | MIFARE DESFire (NXP) | LLCP (peer to peer)
Applicative protocol:     MIFARE protocol | MIFARE Ultralight protocol | ISO/IEC 7816-4 over ISO 14443 A-4 / ISO 14443 B-4 | LLCP
Initialization, anticollision, protocol activation:
                          ISO 14443 A-3 / ISO 18092 | ISO 14443 B-3 | FeliCa (JIS X 6319-4) and ISO 18092 | "no anticollision" box
RF:                       ISO 14443 A-2 / ISO 18092 | ISO 14443 B-2 | ISO 18092
Physical characteristics: ISO 14443 A-1 / ISO 18092 | ISO 14443 B-1 | ISO 18092
Technology columns:       NFC-A | NFC-B | NFC-F | P2P

Legend: NFC Forum specification / vendor specific / international standard



Physical

Reader to tag on ISO 14443-2 Type A: 100% ASK, modified Miller coded (Manchester is the tag-to-reader direction)
Scope trace decoded: S 0110010 (start of communication, then the 7 data bits LSB first)
0100110 = 0x26 = SENS_REQ (ISO 14443-3)



Protocol layer

Type 1 (Topaz)
MIFARE Classic
Type 2 (MIFARE Ultralight)
Type 3 (FeliCa)
Type 4 (DESFire)
LLCP (P2P)




Type 2: MIFARE UL

Command set: READ, WRITE, SECTOR SELECT

Memory layout (4-byte blocks; byte 0 .. byte 3):

  Block 0    UID / Internal         Internal0  Internal1  Internal2  Internal3
  Block 1    Serial number          Internal4  Internal5  Internal6  Internal7
  Block 2    Internal / Lock        Internal8  Internal9  Lock0      Lock1
  Block 3    Capability container   CC0        CC1        CC2        CC3
  Block 4..  NDEF data



Type 4: DESFire

Command set: SELECT, READ, UPDATE (ISO 7816-4 APDUs)

NDEF Tag Application (AID D2760000850101h)
  CC file (E103h), containing the NDEF File Control TLV
  NDEF file (E104h): used memory area (the message) followed by the empty memory area



LLCP

PDU types: SYMM, PAX, AGF, UI, CONNECT, DISC, ...

LLCP header and payload:

  Field        Size          Position
  DSAP         6 bits        byte offset 0
  PTYPE        4 bits        byte offset 0 (low 2 bits) and byte offset 1 (high 2 bits)
  SSAP         6 bits        byte offset 1
  Sequence     0 or 8 bits   byte offset 2
  Information  M*8 bits      byte offset 2 or 3, depends on PTYPE

DSAP = destination service access point address field
PTYPE = payload data unit (PDU) type field
SSAP = source service access point address field
Sequence = sequence field (8 bits for formats that include sequence numbers, 0 bits for formats that do not)
Information = information field (M is an integer value between and including 0 and the maximum information unit (MIU) defined in this specification; * denotes multiplication)



Application layer

NFC Data Exchange Format (NDEF)
Binary message format
Different identifiers to describe types such as URIs, MIME types, NFC-specific types
Specification for NDEF and for each well-known type



Type 2 tag read, as captured (tag-side CRC_A / BCC bytes shown in angle brackets)

SENS_REQ                                           26
SENS_RES (NFCID1 size: double (7 bytes), bit frame SDD)   14 00
SDD_REQ (CL1, SEL_PAR bc=2)                        93 20
SDD_RES (CT, 04-e3-ef, BCC)                        88 04 e3 ef <80>
SEL_REQ (CL1, NFCID1)                              93 70 88 04 e3 ef 80 <99 73>
SEL_RES - NFCID not complete, type 2 tag           04 <da 17>
SDD_REQ (CL2, SEL_PAR bc=2)                        95 20
SDD_RES (a2-ef-20-80, BCC)                         a2 ef 20 80 <ed>
SEL_REQ (CL2, second NFCID1 part)                  95 70 a2 ef 20 80 ed <72 c8>
SEL_RES - NFCID complete, type 2 tag               00 <fe 51>
READ - 03                                          30 03 <99 9a>
READ response                                      e1 10 06 00 03 17 d1 01 13 54 02 65 6e 73 75 70 <b1 62>
READ - 04                                          30 04 <26 ee>
READ response                                      03 17 d1 01 13 54 02 65 6e 73 75 70 2c 20 75 6c <2a 00>
READ - 05                                          30 05 <af ff>
READ - 08                                          30 08 <4a 24>
READ response                                      74 72 61 6c 69 ...

(call-outs on the slide: serial number, memory protections, CC, etc.)

NDEF data

Extracted NDEF data:

03 17 d1 01 13 54 02 65 6e 73 75 70 2c 20 75 6c 74 72 61 6c 69 67 68 74 3f fe

03        NDEF Message TLV
17        length (23 bytes)
Record 1:
d1        MB, ME, SR, TNF=1 "NFC Forum well-known type"
01        type length
13        payload length (19 bytes)
54        type "T" (Text)
02        status byte: length of the IANA language code
65 6e     language code "en"
73 75 70 2c 20 75 6c 74 72 61 6c 69 67 68 74 3f = "sup, ultralight?" (the text)
fe        Terminator TLV
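The trace and the NDEF decode above can be reproduced in code. What follows is an added example and not code from the talk: it recomputes the CRC_A bytes shown in angle brackets, assembles the 7-byte UID from the two SDD_RES frames (checking each BCC), parses the capability container, walks the Type 2 TLV area and parses the NDEF message with every length field checked before it is used, which is exactly the check whose absence shows up later in the deck as an ArrayIndexOutOfBoundsException in parseWellKnownUriRecord. The frame bytes and pages 3 to 9 are transcribed from the slides; pages 10 and 11 are filled in from the extracted NDEF data, since the slide shows only the start of the READ 08 reply; the function names are this example's own.

```python
# Added example (not code from the talk): decode the Type 2 exchange in the trace above.
def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (poly 0x8408 reflected, init 0x6363), returned LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def read_cmd(page: int) -> bytes:
    """Type 2 READ frame (0x30, page) with CRC_A appended, as the reader sends it."""
    cmd = bytes([0x30, page & 0xFF])
    return cmd + crc_a(cmd)

def uid_from_cascade(cl1: bytes, cl2: bytes) -> bytes:
    """7-byte NFCID1 from two SDD_RES frames: CL1 = CT(0x88) uid0..2 BCC, CL2 = uid3..6 BCC."""
    for part in (cl1, cl2):
        if len(part) != 5 or part[0] ^ part[1] ^ part[2] ^ part[3] != part[4]:
            raise ValueError("SDD_RES length or BCC mismatch")
    return cl1[1:4] + cl2[0:4]

def parse_cc(page3: bytes) -> dict:
    """Capability container: E1 magic, version nibbles, data area size in 8-byte units, access."""
    if len(page3) != 4 or page3[0] != 0xE1:
        raise ValueError("no NFC Forum CC magic in page 3")
    return {"version": f"{page3[1] >> 4}.{page3[1] & 0xF}", "data_bytes": page3[2] * 8,
            "read_only": (page3[3] & 0x0F) != 0}

def ndef_from_tlvs(area: bytes) -> bytes:
    """Walk the TLV area (00 NULL, 03 NDEF, FE terminator) and return the NDEF message."""
    i = 0
    while i < len(area):
        t = area[i]
        if t == 0xFE:
            break
        if t == 0x00:
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated TLV header")
        length, i = area[i + 1], i + 2
        if length == 0xFF:                       # three-byte length form
            length, i = int.from_bytes(area[i:i + 2], "big"), i + 2
        if i + length > len(area):
            raise ValueError("TLV length runs past the data area")
        if t == 0x03:
            return area[i:i + length]
        i += length
    raise ValueError("no NDEF message TLV")

def parse_ndef(msg: bytes) -> list:
    """Parse NDEF records; every length field is checked before a slice uses it."""
    records, i = [], 0
    while i < len(msg):
        hdr, i = msg[i], i + 1
        sr, il, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07
        if i + 1 + (1 if sr else 4) + (1 if il else 0) > len(msg):
            raise ValueError("truncated record header")
        type_len, i = msg[i], i + 1
        if sr:
            payload_len, i = msg[i], i + 1
        else:
            payload_len, i = int.from_bytes(msg[i:i + 4], "big"), i + 4
        id_len = 0
        if il:
            id_len, i = msg[i], i + 1
        if i + type_len + id_len + payload_len > len(msg):
            raise ValueError("record lengths exceed the message")
        rtype, i = msg[i:i + type_len], i + type_len
        rid, i = msg[i:i + id_len], i + id_len
        payload, i = msg[i:i + payload_len], i + payload_len
        records.append({"tnf": tnf, "type": rtype, "id": rid, "payload": payload})
        if hdr & 0x40:                           # ME: last record in the message
            break
    return records

def decode_text(payload: bytes) -> tuple:
    """Well-known type 'T': status byte (bit 7 = UTF-16, low 6 bits = language code length)."""
    if not payload:                              # an empty payload must not be indexed
        raise ValueError("empty Text record")
    lang_len, utf16 = payload[0] & 0x3F, payload[0] & 0x80
    if 1 + lang_len > len(payload):
        raise ValueError("language code runs past the payload")
    lang = payload[1:1 + lang_len].decode("ascii")
    return lang, payload[1 + lang_len:].decode("utf-16" if utf16 else "utf-8")

# Transcribed from the trace: the two SDD_RES frames and pages 3..11 (pages 10 and 11 as
# implied by the extracted NDEF data; the slide shows only the start of the READ 08 reply)
SDD_RES_CL1 = bytes.fromhex("8804e3ef80")
SDD_RES_CL2 = bytes.fromhex("a2ef2080ed")
PAGES = [bytes.fromhex(h) for h in ("e1100600", "0317d101", "13540265", "6e737570",
                                    "2c20756c", "7472616c", "69676874", "3ffe0000", "00000000")]

def decode_tag() -> dict:
    """UID, CC and the decoded Text record, from the captured frames and pages."""
    uid = uid_from_cascade(SDD_RES_CL1, SDD_RES_CL2)
    records = parse_ndef(ndef_from_tlvs(b"".join(PAGES[1:])))    # pages 4..11
    lang, text = decode_text(records[0]["payload"])
    return {"uid": uid.hex(), "cc": parse_cc(PAGES[0]), "records": records,
            "lang": lang, "text": text}
```

read_cmd(8) yields the 30 08 4a 24 frame from the trace, and decode_tag() returns the 04 e3 ef a2 ef 20 80 UID, a CC describing a 48-byte read/write data area, and the "en" text "sup, ultralight?". The parser is general (long records, ID fields, external and MIME types), so the same code decodes any tag image the fuzzing section later produces.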



Fuzzing NFC

Test case generation
Delivering test cases
Monitoring the device


NFC readers that work

ACS ACR122U with libnfc 1.5
  Card emulation for Type 2 and ... cards
SCL3711 with nfcpy
  LLCP with either SNEP or NPP
  (nfcpy: Python module for near field communication)



Fuzzable with this setup (stack diagram as on the Specs slide, highlighting the application layer, the tag types and the NFC-A, NFC-B, NFC-F and physical layers; legend: NFC Forum specification / vendor specific / international standard)



Fuzzing in action

Low level fuzzing performed

Fuzz targets:
  Nexus S running Android 2.3.3 Gingerbread
  Nokia N9 1.2 Harmattan PR 1.2
30,000 - 60,000 test cases
Each test case took 5-10 seconds (or more)
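Test case generation for this setup can be as simple as the following added example, which is not the code the talk released: from one seed NDEF message it derives structural cases (every other TNF value, short and long payload length extremes, an oversized type length, every truncation point) plus reproducible random bit flips, and lays a case out as a 64-byte Type 2 tag image (CC in page 3, NDEF TLV from page 4) of the kind a libnfc or nfcpy card emulator would serve to the phone. The seed is the Text record from the earlier trace; the case labels, the 16-page tag size and the 1 to 4 flips per random case are this example's choices.

```python
# Added example: NDEF test case generation and Type 2 layout for delivery (not the talk's fuzzer).
import random

# Seed: the "sup, ultralight?" Text record from the tag trace earlier in the deck
SEED = bytes.fromhex("d101135402656e7375702c20756c7472616c696768743f")

def structural_cases(seed: bytes) -> list:
    """Edit the first record's header and length fields; each case is (label, bytes).

    Assumes the seed starts with a short record without an ID field, i.e.
    byte 0 = flags/TNF, byte 1 = type length, byte 2 = payload length.
    """
    hdr, cases = seed[0], []
    for tnf in range(8):                                   # every TNF value except the original
        if tnf != hdr & 0x07:
            cases.append((f"tnf={tnf}", bytes([(hdr & 0xF8) | tnf]) + seed[1:]))
    for plen in (0x00, 0x01, 0x7F, 0x80, 0xFF):            # short-record payload length extremes
        cases.append((f"sr_payload_len={plen:#04x}", seed[:2] + bytes([plen]) + seed[3:]))
    long_hdr = bytes([hdr & ~0x10])                        # SR cleared: 4-byte payload length
    for plen in (0x00000000, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF):
        cases.append((f"lr_payload_len={plen:#010x}",
                      long_hdr + seed[1:2] + plen.to_bytes(4, "big") + seed[3:]))
    cases.append(("type_len=0xff", seed[:1] + b"\xff" + seed[2:]))   # type longer than the message
    for cut in range(1, len(seed)):                        # every truncation point
        cases.append((f"truncate@{cut}", seed[:cut]))
    return cases

def bitflip_cases(seed: bytes, n: int, rng_seed: int = 0) -> list:
    """n reproducible random mutations: 1 to 4 single-bit flips per case."""
    rng, cases = random.Random(rng_seed), []
    for k in range(n):
        m = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
        cases.append((f"bitflip#{k}", bytes(m)))
    return cases

def type2_image(ndef_msg: bytes, pages: int = 16) -> bytes:
    """Lay a message out as a Type 2 tag image: CC in page 3, NDEF TLV from page 4, FE terminator.

    Pages 0..2 (UID, BCC, lock bytes) are left zero for the card emulator to fill in.
    """
    data_area = (pages - 4) * 4
    n = len(ndef_msg)
    length = bytes([n]) if n < 0xFF else b"\xff" + n.to_bytes(2, "big")
    tlv = b"\x03" + length + ndef_msg + b"\xfe"
    if len(tlv) > data_area:
        raise ValueError("message does not fit in the tag's data area")
    cc = bytes([0xE1, 0x10, data_area // 8, 0x00])       # E1, version 1.0, size/8, read/write
    return bytes(12) + cc + tlv.ljust(data_area, b"\x00")

def corpus(seed: bytes = SEED, n_random: int = 100) -> list:
    """All cases as (label, tag image), one image per emulator run."""
    return [(label, type2_image(msg))
            for label, msg in structural_cases(seed) + bitflip_cases(seed, n_random)]
```

Each image goes to the emulator for one tap; the label is what you log next to the device's logcat or tombstone so a crash can be mapped back to the mutation that caused it. The structural cases are the ones that matter most for an NDEF parser: the long-record lengths 0x80000000 and 0xFFFFFFFF read as negative when the parser uses a signed 32-bit int, which is the class of bug the NegativeArraySizeException later in the deck belongs to.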




Test cases used (table; two count columns per row, several row labels are not legible in the extraction)

  Test case type     Count A   Count B
  Type 2             4000      4000
  Type 4             4000      4000
  LLCP               2000      2000
  LLCP               2000      2000
  (illegible)        9000      9000
  NDEF               1626      1626
  (illegible)        538       538
  NDEF - short BT    1265      2440
  (illegible)        1246      2440
  Total              32572     52362

A second table on the slide repeats the same per-row counts with totals of 15062 and 34852.



Android Java Exceptions

E/NfcService(17875): failed to parse record
E/NfcService(17875): java.lang.ArrayIndexOutOfBoundsException
E/NfcService(17875):     at com.android.nfc.NfcService$NfcServiceHandler.parseWellKnownUriRecord(NfcService.java:2570)
E/NfcService(17875):     at com.android.nfc.NfcService$NfcServiceHandler.setTypeOrDataFromNdef(NfcService.java:2616)
E/NfcService(17875):     at com.android.nfc.NfcService$NfcServiceHandler.dispatchTagInternal(NfcService.java:2713)



(Screenshot) "Sorry! The application Tags (process com.google.android.tag) has stopped unexpectedly. Please try again." [Force close] [Report]



More Android Java Exceptions

D/NdefPushServer( 3130): java.io.IOException
D/NdefPushServer( 3130):     at com.android.internal.nfc.LlcpSocket.receive(LlcpSocket.java:193)
D/NdefPushServer( 3130):     at com.android.nfc.ndefpush.NdefPushServer$ConnectionThread.run(NdefPushServer.java:70)
D/NdefPushServer( 3130): about to close
W/dalvikvm( 3130): threadid=8: thread exiting with uncaught exception (group=0x40015560)
E/AndroidRuntime( 3130): FATAL EXCEPTION: NdefPushServer
E/AndroidRuntime( 3130): java.lang.NegativeArraySizeException
E/AndroidRuntime( 3130):     at com.android.nfc.ndefpush.NdefPushProtocol.<init>(NdefPushProtocol.java:97)
E/AndroidRuntime( 3130):     at com.android.nfc.ndefpush.NdefPushServer$ConnectionThread.run(NdefPushServer.java:86)



(Screenshot) "Sorry! The application Nfc Service (process com.android.nfc) has stopped unexpectedly. Please try again." [Force close] [Report]
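The NegativeArraySizeException above comes from allocating with a length read straight off the LLCP socket. The following is an added example, not Android's code: a parser for the NPP message layout (one version byte, a 4-byte entry count, then per entry an action byte, a 4-byte NDEF length and the NDEF bytes) written twice, once trusting the peer the way the crashing code did and once checking every count and length against what was actually received before anything is allocated. The layout is assumed from the public NDEF Push Protocol description; MAX_ENTRIES, the NppError class and the two sample messages are constructed here.

```python
# Added example (not Android's code): NPP message parsing, unchecked vs. checked.
import struct

NPP_VERSION = 1          # major version nibble of the first byte
MAX_ENTRIES = 16         # cap assumed for this example; the page gives none
ACTION_IMMEDIATE = 0x01

class NppError(ValueError):
    """Raised by the checked parser for any peer-supplied value that does not fit the data."""

def parse_npp_unchecked(buf: bytes) -> list:
    """Trusts the peer: count and length are used as read (mirrors the crashing logic)."""
    if buf[0] >> 4 != NPP_VERSION:
        raise NppError("unsupported NPP version")
    count = struct.unpack_from(">i", buf, 1)[0]           # signed, like Java's readInt
    off, entries = 5, []
    for _ in range(count):
        action = buf[off]
        length = struct.unpack_from(">i", buf, off + 1)[0]
        off += 5
        ndef = bytearray(length)    # negative length: ValueError here, NegativeArraySizeException in Java
        ndef[:] = buf[off:off + length]
        off += length
        entries.append((action, bytes(ndef)))
    return entries

def parse_npp(buf: bytes) -> list:
    """Every peer-supplied number is range-checked against the bytes actually received."""
    if len(buf) < 5:
        raise NppError("message shorter than the NPP header")
    if buf[0] >> 4 != NPP_VERSION:
        raise NppError("unsupported NPP version")
    count = struct.unpack_from(">I", buf, 1)[0]           # unsigned: no negative surprises
    if not 1 <= count <= MAX_ENTRIES:
        raise NppError(f"implausible entry count {count}")
    off, entries = 5, []
    for _ in range(count):
        if off + 5 > len(buf):
            raise NppError("truncated entry header")
        action = buf[off]
        length = struct.unpack_from(">I", buf, off + 1)[0]
        off += 5
        if length > len(buf) - off:                       # allocate only what is on the wire
            raise NppError(f"entry length {length} exceeds the {len(buf) - off} bytes left")
        entries.append((action, buf[off:off + length]))
        off += length
    if off != len(buf):
        raise NppError("trailing bytes after the last entry")
    return entries

def npp_message(entries) -> bytes:
    """Build a well-formed message (used to construct the samples below)."""
    out = bytes([NPP_VERSION << 4]) + struct.pack(">I", len(entries))
    for action, ndef in entries:
        out += bytes([action]) + struct.pack(">I", len(ndef)) + ndef
    return out

# Constructed samples: the Text record from the tag trace, and a push whose length field is -1
TEXT_RECORD = bytes.fromhex("d101135402656e7375702c20756c7472616c696768743f")
GOOD = npp_message([(ACTION_IMMEDIATE, TEXT_RECORD)])
EVIL = bytes([NPP_VERSION << 4]) + struct.pack(">i", 1) + bytes([ACTION_IMMEDIATE]) + struct.pack(">i", -1)
```

The unchecked parser fails on EVIL the same way the phone did (an exception on allocation, which on Gingerbread took the whole Nfc Service process down), whereas parse_npp rejects it, a truncated message and a message with trailing bytes before touching any buffer; a huge positive length is caught by the same comparison against the remaining bytes, so no allocation is ever sized by the peer alone.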



Android null ptr deref

Send a CC PDU without first establishing a connection

BAD PDU: 05a0060f636f6d2e616e64726f69642e6e7070

0x80528f1c in Handle_ConnectionOriented_IncommingFrame () from /home/cmiller/debugging/libnfc.so
...
(gdb) x/i $pc
0x80528f1c <Handle_ConnectionOriented_IncommingFrame+952>:  stmia r3, {r0, r1}
(gdb) print /x $r3
$3 = 0x0
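Both the LLCP header layout from the earlier slide and the unsolicited CC PDU that produced this null dereference can be worked through in code. The following is an added example, not code from the talk or from libnfc: it packs and unpacks the 16-bit DSAP/PTYPE/SSAP header, splits the parameter TLVs, decodes the BAD PDU from the slide, and shows the state check a receiver needs: a CC is only acceptable as the reply to a CONNECT that is still outstanding. The pending_connects set and the function names are this example's own.

```python
# Added example: LLCP header codec and the check the crashing receiver lacked (not libnfc code).
import struct

PTYPE_NAMES = {0: "SYMM", 1: "PAX", 2: "AGF", 3: "UI", 4: "CONNECT", 5: "DISC", 6: "CC",
               7: "DM", 8: "FRMR", 9: "SNL", 12: "I", 13: "RR", 14: "RNR"}
SEQUENCED = {12, 13, 14}          # I, RR, RNR carry the one-byte sequence field
SN_TLV = 0x06                     # service name parameter carried in CONNECT and CC

def encode_header(dsap: int, ptype: int, ssap: int, seq: int = 0) -> bytes:
    """DSAP (6 bits) | PTYPE (4 bits) | SSAP (6 bits), then a sequence byte where PTYPE has one."""
    if not (0 <= dsap < 64 and 0 <= ptype < 16 and 0 <= ssap < 64 and 0 <= seq < 256):
        raise ValueError("LLCP header field out of range")
    hdr = struct.pack(">H", (dsap << 10) | (ptype << 6) | ssap)
    return hdr + bytes([seq]) if ptype in SEQUENCED else hdr

def decode_pdu(pdu: bytes) -> dict:
    """Split an LLCP PDU into its header fields and the information field."""
    if len(pdu) < 2:
        raise ValueError("LLCP PDU shorter than its 2-byte header")
    word, = struct.unpack(">H", pdu[:2])
    dsap, ptype, ssap = word >> 10, (word >> 6) & 0xF, word & 0x3F
    seq, off = None, 2
    if ptype in SEQUENCED:
        if len(pdu) < 3:
            raise ValueError("sequenced PDU without its sequence byte")
        seq, off = pdu[2], 3
    return {"dsap": dsap, "ptype": ptype, "name": PTYPE_NAMES.get(ptype, "RESERVED"),
            "ssap": ssap, "seq": seq, "info": pdu[off:]}

def parse_params(info: bytes) -> list:
    """Parameter TLVs (1-byte type, 1-byte length, value), bounds checked."""
    out, i = [], 0
    while i < len(info):
        if i + 2 > len(info):
            raise ValueError("truncated parameter TLV")
        t, n = info[i], info[i + 1]
        if i + 2 + n > len(info):
            raise ValueError("parameter TLV length exceeds the PDU")
        out.append((t, info[i + 2:i + 2 + n]))
        i += 2 + n
    return out

def cc_is_expected(pending_connects: set, pdu: bytes) -> bool:
    """A CC is only valid as the reply to a CONNECT that is still outstanding.

    pending_connects holds (our_sap, peer_sap) pairs for CONNECTs we sent; the matching
    CC arrives with DSAP = our_sap and SSAP = peer_sap. An unsolicited CC, such as the
    one below, has no connection state behind it and must be dropped, not handled.
    """
    d = decode_pdu(pdu)
    if d["name"] != "CC":
        return True
    return (d["dsap"], d["ssap"]) in pending_connects

# The "BAD PDU" from the slide: a CC from SAP 32 to SAP 1 naming the service com.android.npp
BAD_PDU = bytes.fromhex("05a0060f636f6d2e616e64726f69642e6e7070")
```

decode_pdu(BAD_PDU) gives DSAP 1, PTYPE 6 (CC), SSAP 32 and one SN parameter, "com.android.npp"; with no CONNECT outstanding, cc_is_expected returns False, which is the decision the crashing frame handler made only after it had already dereferenced the missing connection object.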



Android Double Free

D/NdefPushServer(13178): created LLCP service socket
D/NdefPushServer(13178): about to accept
D/NFC JNI (13178): Discovered P2P Target
D/NfcService(13178): LLCP Activation message
E/NFC JNI (13178): phLibNfc_Llcp_CheckLlcp() returned 0x00ff[NFCSTATUS_FAILED]
I/DEBUG   (   73): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (   73): Build fingerprint: 'google/soju/crespo:2.3.3/GRI54/105536:user/release-keys'
I/DEBUG   (   73): pid: 13178, tid: 13178  >>> com.android.nfc <<<
I/DEBUG   (   73): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
I/DEBUG   (   73):  r0 afd46494  r1 00000004  r2 00000000  r3 afd46450
I/DEBUG   (   73):  r4 00295530  r5 afd46450  r6 00000000  r7 40002410
I/DEBUG   (   73):  r8 00000001  r9 0000008a  10 00000002  fp bed9725c
I/DEBUG   (   73):  ip afd46474  sp bed97220  lr afd10e60  pc afd13d06  cpsr 00000030
I/DEBUG   (   73):          #00  pc 00013d06  /system/lib/libc.so
I/DEBUG   (   73):          #01  pc 000144be  /system/lib/libc.so
I/DEBUG   (   73):          #02  pc 0004375c  /system/lib/libnfc.so
I/DEBUG   (   73):          #03  pc 00042b84  /system/lib/libnfc.so

(slide call-outs on the libc frames: free(), abort())



Source code

/* Llcp methods */
static jboolean com_android_nfc_NfcManager_doCheckLlcp(JNIEnv *e, jobject o)
{
    NFCSTATUS ret;
    jboolean result = JNI_FALSE;
    struct nfc_jni_native_data *nat;
    struct nfc_jni_callback_data *cb_data;

    CONCURRENCY_LOCK();

    /* Memory allocation for cb_data */
    cb_data = (struct nfc_jni_callback_data*) malloc(sizeof(nfc_jni_callback_data));

    ...

    if (ret != NFCSTATUS_PENDING && ret != NFCSTATUS_SUCCESS)
    {
        LOGE("phLibNfc_Llcp_CheckLlcp() returned 0x%04x[%s]", ret, nfc_jni_get_status_name(ret));
        free(cb_data);                  /* first free, on the error path */
        goto clean_and_return;
    }

    ...

clean_and_return:
    nfc_cb_data_deinit(cb_data);        /* reached with cb_data already freed above */
    CONCURRENCY_UNLOCK();
    return result;
}



Status of vulnerability

Fixed in ICS (4.0.1) by Google (independently of me)
Gingerbread devices are still vulnerable: 92% of currently deployed Android devices


Other crashes

I/DEBUG   (   73): (five earlier frames in /system/lib/libc.so and two in /system/lib/libbinder.so; addresses not legible in the extraction)
I/DEBUG   (   73):          #07  pc 0001ae68  /system/lib/libbinder.so (android::Parcel::...)
I/DEBUG   (   73):          #08  pc 0001aea8  /system/lib/libbinder.so (android::Parcel::...)
I/DEBUG   (   73):          #09  pc 0001aed4  /system/lib/libbinder.so (android::Parcel::...)
I/DEBUG   (   73):          #10  pc 0001aef8  /system/lib/libbinder.so (android::Parcel::...)

Other crashes

I/DEBUG   (   73):          #00  pc 00015ca4  /system/lib/libc.so
I/DEBUG   (   73):          #01  pc 00013614  /system/lib/libc.so
I/DEBUG   (   73):          #02  pc (illegible) /system/lib/libc.so
I/DEBUG   (   73):          #03  pc 0004996e  /system/lib/libdvm.so
I/DEBUG   (   73):          #04  pc 00053fda  /system/lib/libdvm.so
I/DEBUG   (   73):          #05  pc 000494da  /system/lib/libdvm.so
I/DEBUG   (   73):          #06  pc 00005310  /system/lib/libnfc_jni.so
I/DEBUG   (   73):          #07  pc 000118e4  /system/lib/libc.so

Other crashes

I/DEBUG   (   73):          #00  pc 00013256  /system/lib/libc.so
I/DEBUG   (   73):          #01  pc 000144da  /system/lib/libc.so
I/DEBUG   (   73):          #03  pc 0004996e  /system/lib/libdvm.so
I/DEBUG   (   73):          #04  pc 00053fda  /system/lib/libdvm.so
I/DEBUG   (   73):          #05  pc 000494da  /system/lib/libdvm.so
I/DEBUG   (   73):          #06  pc 00005310  /system/lib/libnfc_jni.so
I/DEBUG   (   73):          #07  pc 000118e4  /system/lib/libc.so

Crash occurs in unlink_large_chunk in dlfree() when an invalid "back" ptr is referenced

Other crashes

(tombstone: frames in /system/lib/libc.so <dlmalloc>, <calloc> and /system/lib/libdvm.so <dvmAttach...>; addresses not legible in the extraction)



Beyond the NFC stack

What applications handle the actual NFC data by default, without user interaction?

(diagram: Nfc Service (com.android.nfc) with libnfc.so, libnfc_jni.so, libnfc_ndef.so, feeding Tags (com.google.android.tag))

At first glance - boring!

(Screenshot: "New tag collected" notification with a Discard button)

Cool NFC magic

Android: Beam
Nokia: Content sharing
Nokia: Bluetooth pairing
Samsung: S-Beam

Android Beam

Introduced in ICS
Two devices can share content via NFC
LLCP + SNEP, with fallback to LLCP + NPP




More Android Beam

Implemented with Android intents
Browser, Contacts, and Tags register intent filters for them, e.g.:

<!-- Accept inbound NFC URLs at a low priority -->
<intent-filter android:priority="-101">
    <action android:name=" " />
    <category android:name="android.intent.category.DEFAULT" />
    <data android:scheme=" " />
    <data android:scheme=" " />
</intent-filter>




Bigger attack surface

File formats reachable this way:
  Web related: html, css, js, xml
  Image: bmp, gif, ico, jpg, wbmp, svg, png
  Audio: mp3, aac, amr, ogg, wav
  Video: mp4, 3gp
  Font: ttf, eot

Demo!

Thanks to Josh Drake and Georg Wicherski (along with the entire CrowdStrike team)



Android NFC attack surface (diagram)

Nfc Service (com.android.nfc): libnfc.so, libnfc_jni.so, libnfc_ndef.so
  -> Tags (com.google.android.tag)
  -> Browser (com.google.android.browser)



Nokia Content Sharing

Like Android Beam for Nokia phones
Again without user interaction, despite what the settings would tell you




Nokia N9 attack surface

Images: jpg, gif
Videos (video-suite): mp4, wmv, 3gp
Audio: mp3, aac, flac, wma, amr, wav, ogg
Documents (office-suite): pdf, txt, doc(x), xls(x), ppt(x)



MeeGo NFC attack surface (diagram: nfcd on top of the libNFC*.so stack, libNFCDAL.so at the bottom)

Choose public bugs...



For example, the latest N9 firmware ships with libpng 1.2.42

Vulnerability Warning (libpng.org)

All "modern" versions of libpng through 1.5.9, 1.4.10, 1.2.48, and 1.0.58, respectively, fail to correctly handle malloc() failure for text chunks (in png_set_text_2()), which can lead to memory corruption and the possibility of execution of hostile code. This serious vulnerability has been assigned ID CVE-2011-3048 and is fixed in version 1.5.10 (and versions 1.4.11, 1.2.49 and 1.0.59, respectively, on the older branches), released 29 March 2012.

Vulnerability Warning (libpng.org)

All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and 1.0.56, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. This serious vulnerability has been assigned ID CVE-2011-3026 and is fixed in version 1.5.9 (and versions 1.4.9, 1.2.47 and 1.0.57, respectively, on the older branches), released 18 February 2012.



Or private bugs...

PPTs

==3572== Thread 2:
==3572== Invalid free() / delete / delete[] / realloc()
==3572==    at 0x48347B4: free (vg_replace_malloc.c:366)
==3572==    by 0x5DE780F: free_mem (in /lib/libc-2.10.1.so)
==3572==    by 0x5DE71F7: __libc_freeres (in /lib/libc-2.10.1.so)
==3572==    by 0x48285B7: _vgnU_freeres (vg_preloaded.c:61)
==3572==    by 0x5DB5AC3: __libc_enable_asynccancel (libc-cancellation.c:66)
==3572==    by 0x6826CAF: ??? (in /lib/libglib-2.0.so.0.2800.4)
==3572==  Address 0x7491f30 is not stack'd, malloc'd or (recently) free'd

PDFs

==4002== Invalid write of size 1
==4002==    at 0x7290FB4: SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int) (in /usr/lib/libpoppler.so.13.0.0)
==4002==  Address 0xf8dc5090 is not stack'd, malloc'd or (recently) free'd



Another MeeGo (KOffice) bug

bool STD::read( U16 baseSize, U16 totalSize, OLEStreamReader* stream, bool preservePos )
...
    grupxLen = totalSize - ( stream->tell() - startOffset );
    grupx = new U8[ grupxLen ];

    int offset = 0;
    for ( U8 i = 0; i < cupx; ++i ) {
        U16 cbUPX = stream->readU16();      // size of the next UPX
        stream->seek( -2, G_SEEK_CUR );     // rewind the "lookahead"
        cbUPX += 2;                         // ...and correct the size
        // cbUPX comes straight from the file and is never compared with grupxLen,
        // so offset + j can run past the end of the grupx heap buffer
        for ( U16 j = 0; j < cbUPX; ++j ) {
            grupx[ offset + j ] = stream->readU8();   // read the whole UPX
        }
...

koffice-233/filters/kword/msword-odf/wv2/src/styles.cpp



N9 Bluetooth pairing

Device will Bluetooth pair with another device given a special NDEF message
Prompts the user only if the (non-default) "Confirm sharing and connecting" option is chosen

[0000] d4 0c 27 6e 6f 6b 69 61 2e 63 6f 6d 3a 62 74 01  ..'nokia.com:bt.
[0010] 00 1d 4f 92 90 e2 20 04 18 31 32 33 34 00 00 00  ..O... ..1234...
[0020] 00 00 00 00 00 00 00 00 00 0c 54 65 73 74 20 6d  ..........Test m
[0030] 61 63 62 6f 6f 6b                                acbook

(d4 = MB, ME, SR, TNF=4 external type; type length 0x0c = "nokia.com:bt"; payload length 0x27 = 39 bytes)



My whole life I've been looking for this ... when I should have been looking for this (photos)

Turn on confirm sharing!

(Settings screenshot: "Confirm sharing and connecting")

(Prompt screenshot: "Connect? This device will be added as trusted Bluetooth device to enable easy connections via NFC")
Mobile Pwn2Own 2012

(News clipping) "Galaxy S3 hacked via NFC at Mobile Pwn2Own competition - Using this exploit attackers can take full control of a Galaxy S3 smartphone, researchers demonstrated" (Loek Essers, September 19, 2012)



The attack

Samsung phones have S-Beam
Stock Android only allows web page sharing
S-Beam allows sharing of many media files
Researchers from MWR Labs exploited a 0-day flaw in the document viewer

(S-Beam screenshot)



Solutions

Fix low level bugs
Turn on user notifications that are VERY specific
  Prevents the subway attack
  With a specific enough notification, prevents the skimming attack
Hope users are smart enough to defend themselves



Summary

NFC opens up a new avenue for nearby server-side attacks without user interaction
NFC stacks are hard to test
I released code to help researchers do this
Vendors should allow an option to confirm before NFC data is passed to applications

Questions?

Contact me: cmiller@openrce.org